Patients at The Smile Center in St. Paul, Minnesota, don’t have much to smile about this week. Bill Keller reports on another disturbing breach – one that reportedly occurred four months ago but whose victims are only now being notified:
Delta Dental is announcing that personal information used in a lawsuit between the company and a St. Paul dentist’s office is missing after a laptop used in the case by an expert witness was stolen from an office at the University of Minnesota.
Though the multi-million dollar suit was settled in April, a disk loaded with personal information is proving unsettling now that it could fall into the hands of identity thieves.
On Monday, Laurie Manke-Senne said she received a note from her dental insurance carrier notifying her that her personal information had been stolen.
“It’s unnerving because our personal information is out there,” she said. “It wasn’t encrypted.”
Delta Dental said it has taken steps to protect its clients from identity theft; however, when the computer disappeared, the state’s largest dental insurer said The Smile Center never told its patients their medical records had been compromised.
Neither Delta Dental nor The Smile Center would say how many people were affected by the theft, but the missing data includes patients at the St. Paul office who were insured by Delta between Jan. 1, 2003 and June 30, 2010.
The Smile Center’s other four offices were not affected.
In a statement, Delta Dental said it has “no indication that the information has been inappropriately accessed, misused or further disclosed.”
So far, it seems the target of the theft was the laptop alone — not the data, but that offers little comfort to those still at risk.
Source: Fox9
Fox9’s news coverage (see video below) indicates that the PHI on the stolen laptop included names, dates of birth, and Social Security numbers.
Not only did The Smile Center reportedly not inform its patients of the breach, but it seems that neither Delta Dental nor The Smile Center is taking full responsibility for the breach because the data were in the possession of a third party – an expert witness in the lawsuit. That said, Delta Dental is offering patients free credit monitoring and credit restoration services.
So what will HHS do with this breach? Has anyone reported it to HHS yet? I expect that we will see this one on their breach tool but it will be quite a while before we see what, if anything, HHS/OCR does. This might be an appropriate incident to issue a fine for not notifying patients in a timely fashion.
Update 1: Delta Dental issued a statement. The statement indicates:
The disc contained the names, dates of birth, Social Security numbers and limited dental claims data (dental codes, amounts paid, dentist ID numbers) for certain individuals covered by Delta Dental who were patients of The Smile Center dental clinics between January 1, 2003 and June 30, 2010. The disc also contained similar data for certain public programs enrollees, but did not contain Social Security numbers for those enrollees.
The statement seems to put the responsibility for notification on The Smile Center:
As part of a lawsuit between Delta Dental and The Smile Center dental clinics, Delta Dental was required to provide the disc containing the data to The Smile Center dental clinics, their law firm, and their expert witness. Delta Dental turned over the disc under the terms of a protective order entered by the court in the lawsuit. The Smile Center dental clinics, their law firm, and their expert witness were required by the court order to protect the disc and the data. At the time of the theft, the disc was in the custody and control of the expert witness for The Smile Center dental clinics at his University of Minnesota office.
In response to my tweet earlier today about how patients were not notified of the breach that Fox9 says occurred four months ago, @DeltaDentalMN tweeted:
@PogoWasRight False. Delta Dental notified ALL individuals whose Social Security numbers were on stolen disc. http://tinyurl.com/3myz3wn
I replied, asking them to confirm *when* the laptop was stolen and *when* they notified patients. If I get a response, I’ll update this entry.
Note that I did not and am not asserting that it was Delta Dental’s responsibility to notify the patients. My original point was that a breach seemingly happened and patients weren’t notified and someone should be held accountable for that – and nothing that I’ve read since my original post changes that opinion.